use of org.minidns.dnsname.DNSName in project minidns by MiniDNS.
the class DaneVerifier method verifyCertificateChain.
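/**
 * Verifies a certificate chain to be valid when used with the given connection details using DANE.
 * <p>
 * The TLSA record set for {@code _<port>._tcp.<hostName>} is queried and only used when the
 * answer carries the authenticated-data flag. The leaf certificate ({@code chain[0]}) is then
 * checked against every TLSA record owned by that name; a single matching record is enough,
 * which allows publishing several TLSA records during a certificate rollover.
 *
 * @param chain A certificate chain that should be verified using DANE. Must contain at least the leaf certificate.
 * @param hostName The DNS name of the host this certificate chain belongs to.
 * @param port The port number that was used to reach the server providing the certificate chain in question.
 * @return Whether the DANE verification is the only requirement according to the TLSA record.
 *         If this method returns {@code false}, additional PKIX validation is required.
 * @throws CertificateException if the chain is empty, or if the certificate chain provided differs from the one enforced using DANE.
 * @throws RuntimeException if the TLSA lookup itself fails with an {@link IOException}.
 */
public boolean verifyCertificateChain(X509Certificate[] chain, String hostName, int port) throws CertificateException {
    if (chain == null || chain.length == 0) {
        // An empty chain can never be matched against a TLSA record. Reject it as a certificate
        // problem instead of failing with an ArrayIndexOutOfBoundsException at chain[0] below,
        // which callers catching CertificateException would not handle.
        throw new CertificateException("Certificate chain is empty, nothing to verify using DANE.");
    }
    DNSName req = DNSName.from("_" + port + "._tcp." + hostName);
    DNSMessage res;
    try {
        res = client.query(req, Record.TYPE.TLSA);
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
    if (!res.authenticData) {
        // Unauthenticated TLSA data must not be trusted: log why and leave the decision to PKIX.
        StringBuilder msg = new StringBuilder("Got TLSA response from DNS server, but was not signed properly.");
        if (res instanceof DNSSECMessage) {
            msg.append(" Reasons:");
            for (UnverifiedReason reason : ((DNSSECMessage) res).getUnverifiedReasons()) {
                msg.append(' ').append(reason);
            }
        }
        LOGGER.info(msg.toString());
        return false;
    }
    List<DaneCertificateException.CertificateMismatch> certificateMismatchExceptions = new LinkedList<>();
    boolean verified = false;
    for (Record<? extends Data> record : res.answerSection) {
        // Only TLSA records owned by the queried name count; other records in the answer section are ignored.
        if (record.type != Record.TYPE.TLSA || !record.name.equals(req)) {
            continue;
        }
        TLSA tlsa = (TLSA) record.payloadData;
        try {
            verified |= checkCertificateMatches(chain[0], tlsa, hostName);
        } catch (DaneCertificateException.CertificateMismatch certificateMismatchException) {
            // Record the mismatch and only throw an exception if no
            // TLSA RR is able to verify the cert. This allows for TLSA
            // certificate rollover.
            certificateMismatchExceptions.add(certificateMismatchException);
        }
        if (verified) {
            break;
        }
    }
    if (!verified && !certificateMismatchExceptions.isEmpty()) {
        // Every matching TLSA record was tried and all of them rejected the leaf certificate.
        throw new DaneCertificateException.MultipleCertificateMismatchExceptions(certificateMismatchExceptions);
    }
    return verified;
}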
use of org.minidns.dnsname.DNSName in project minidns by MiniDNS.
the class RRSIG method parse.
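/**
 * Parses the RDATA of an RRSIG record from the given stream.
 *
 * @param dis the stream positioned at the first byte of the RRSIG RDATA.
 * @param data the full message data, passed on to {@code DNSName.parse} for the signer name.
 * @param length the RDATA length as announced by the record header.
 * @return the parsed RRSIG.
 * @throws IOException if the RDATA is truncated, or if {@code length} is too short to hold the
 *         fixed fields plus the signer name.
 */
public static RRSIG parse(DataInputStream dis, byte[] data, int length) throws IOException {
    TYPE typeCovered = TYPE.getType(dis.readUnsignedShort());
    byte algorithm = dis.readByte();
    byte labels = dis.readByte();
    // 32-bit unsigned fields: mask to avoid sign extension into the long.
    long originalTtl = dis.readInt() & 0xFFFFFFFFL;
    // Wire format carries seconds since the epoch; java.util.Date expects milliseconds.
    Date signatureExpiration = new Date((dis.readInt() & 0xFFFFFFFFL) * 1000);
    Date signatureInception = new Date((dis.readInt() & 0xFFFFFFFFL) * 1000);
    int keyTag = dis.readUnsignedShort();
    DNSName signerName = DNSName.parse(dis, data);
    // The fixed-size fields read above total 18 bytes (2+1+1+4+4+4+2); whatever remains
    // after the signer name is the signature.
    int sigSize = length - signerName.size() - 18;
    if (sigSize < 0) {
        // A malformed RDLENGTH would otherwise surface as a NegativeArraySizeException
        // rather than as a parse error.
        throw new IOException("Malformed RRSIG: RDATA length " + length
                + " is too short for the fixed fields and a signer name of size " + signerName.size());
    }
    byte[] signature = new byte[sigSize];
    // readFully() keeps reading until the buffer is filled (or throws EOFException), whereas
    // read(byte[]) may legitimately return a short read and silently leave the tail zeroed.
    dis.readFully(signature);
    return new RRSIG(typeCovered, null, algorithm, labels, originalTtl, signatureExpiration, signatureInception, keyTag, signerName, signature);
}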
use of org.minidns.dnsname.DNSName in project minidns by MiniDNS.
the class Record method parse.
/**
 * Parse a given record based on the full message data and the current
 * stream position.
 * <p>
 * Reads the common record header (owner name, type, class, TTL, RDLENGTH) and
 * then hands the RDATA to the parser matching the record type.
 *
 * @param dis The DataInputStream positioned at the first record byte.
 * @param data The full message data.
 * @return the record which was parsed.
 * @throws IOException In case of malformed replies.
 */
public static Record<Data> parse(DataInputStream dis, byte[] data) throws IOException {
    DNSName name = DNSName.parse(dis, data);
    int typeValue = dis.readUnsignedShort();
    TYPE type = TYPE.getType(typeValue);
    int clazzValue = dis.readUnsignedShort();
    // The top bit of the class field is kept separately as the unicast-query flag;
    // the remaining 15 bits select the class.
    boolean unicastQuery = (clazzValue & 0x8000) > 0;
    CLASS clazz = CLASS.getClass(clazzValue & 0x7fff);
    // TTL is a 32-bit unsigned value: assemble it from two unsigned shorts so it never goes negative.
    long ttl = (((long) dis.readUnsignedShort()) << 16) + dis.readUnsignedShort();
    int payloadLength = dis.readUnsignedShort();
    Data payloadData = readPayload(type, dis, data, payloadLength);
    return new Record<>(name, type, clazz, clazzValue, ttl, payloadData, unicastQuery);
}

/**
 * Dispatches to the RDATA parser for the given record type.
 *
 * @param type the record type that selects the parser.
 * @param dis the stream positioned at the first RDATA byte.
 * @param data the full message data, handed to parsers that take it.
 * @param payloadLength the RDLENGTH field, handed to parsers that take it.
 * @return the parsed payload; {@code UNKNOWN} for types without a dedicated parser.
 * @throws IOException In case of malformed RDATA.
 */
private static Data readPayload(TYPE type, DataInputStream dis, byte[] data, int payloadLength) throws IOException {
    switch (type) {
        case SOA:
            return SOA.parse(dis, data);
        case SRV:
            return SRV.parse(dis, data);
        case MX:
            return MX.parse(dis, data);
        case AAAA:
            return AAAA.parse(dis);
        case A:
            return A.parse(dis);
        case NS:
            return NS.parse(dis, data);
        case CNAME:
            return CNAME.parse(dis, data);
        case DNAME:
            return DNAME.parse(dis, data);
        case PTR:
            return PTR.parse(dis, data);
        case TXT:
            return TXT.parse(dis, payloadLength);
        case OPT:
            return OPT.parse(dis, payloadLength);
        case DNSKEY:
            return DNSKEY.parse(dis, payloadLength);
        case RRSIG:
            return RRSIG.parse(dis, data, payloadLength);
        case DS:
            return DS.parse(dis, payloadLength);
        case NSEC:
            return NSEC.parse(dis, data, payloadLength);
        case NSEC3:
            return NSEC3.parse(dis, payloadLength);
        case NSEC3PARAM:
            return NSEC3PARAM.parse(dis);
        case TLSA:
            return TLSA.parse(dis, payloadLength);
        case OPENPGPKEY:
            return OPENPGPKEY.parse(dis, payloadLength);
        case DLV:
            return DLV.parse(dis, payloadLength);
        case UNKNOWN:
        default:
            // Any type without a dedicated parser is kept as opaque bytes.
            return UNKNOWN.parse(dis, payloadLength, type);
    }
}
use of org.minidns.dnsname.DNSName in project minidns by MiniDNS.
the class SRV method parse.
/**
 * Parses the RDATA of an SRV record: three 16-bit fields (priority, weight, port)
 * followed by the target name.
 *
 * @param dis the stream positioned at the first RDATA byte.
 * @param data the full message data, passed on to {@code DNSName.parse} for the target name.
 * @return the parsed SRV payload.
 * @throws IOException if the RDATA is truncated.
 */
public static SRV parse(DataInputStream dis, byte[] data) throws IOException {
    // The read order is dictated by the wire format and must not change.
    final int prio = dis.readUnsignedShort();
    final int wt = dis.readUnsignedShort();
    final int targetPort = dis.readUnsignedShort();
    final DNSName target = DNSName.parse(dis, data);
    return new SRV(prio, wt, targetPort, target);
}
use of org.minidns.dnsname.DNSName in project minidns by MiniDNS.
the class ResolverApi method reverseLookup.
/**
 * Resolves the PTR record for the given IPv4 address.
 *
 * @param inet4Address the address to look up in reverse.
 * @return the result of resolving the reversed address under {@code DNSName.IN_ADDR_ARPA} for PTR.
 * @throws IOException if the lookup fails.
 */
public ResolverResult<PTR> reverseLookup(Inet4Address inet4Address) throws IOException {
    // Reverse the address octets, append the in-addr.arpa suffix and resolve that name for PTR.
    return resolve(
            DNSName.from(InetAddressUtil.reverseIpAddressOf(inet4Address), DNSName.IN_ADDR_ARPA),
            PTR.class);
}